MuleSoft Titan, the company’s latest upgrade to its Anypoint API-driven application network platform, adds real-time API security, API monitoring and support for novel multi-cloud apps. The update is the first since MuleSoft’s acquisition by Salesforce.com. IDN discusses how Titan sets the stage for the next wave of API innovations with MuleSoft’s Aaron Landgraf.

"With this upgrade, we wanted to abstract away as much of the complexity behind integration as we can. Beyond that, we also [heard] pretty resounding feedback around advanced API security and for monitoring."

“With this upgrade, we wanted to abstract away as much of the complexity behind integration as we can. So the idea is to just power a broader set of users to do the process of building integrations and APIs with Anypoint,” Aaron Landgraf, MuleSoft’s senior manager for product marketing told IDN. “Beyond that, we also [heard] pretty resounding feedback around advanced capabilities for API security and for monitoring.”

Landgraf also mentioned that in talking with customers he found that as they more widely adopt APIs within their enterprises – for mobile apps, cloud integration and even partner portals – there is growing sensitivity to the state of their API-focused security.

“I think people are starting to realize that if they don't think about security and visibility when it comes to their API strategies in a few years, they're going to find themselves in a pretty sticky situation,” he said.

To respond to this API security gap head on, MuleSoft’s Titan offers an approach to protect every node of an app network using an API-focused model for securing and monitoring a distributed architecture. To accomplish this, Titan sports several key upgrades, including:

“With Anypoint Security, we’re simplifying how advanced security is delivered across the application network,” Landgraf said. Users will have an API approach to access control, authorizing and authenticating users and even for doing rate-limiting and throttling, he added. Titan also adds advanced security policies, such as denial-of-service prevention and content attack prevention.

“So to IT, it starts to look like bringing some of the notions of web application firewalls into the domain of the API Gateway. We're not telling our customers to move off of their web application firewalls. It's more: ‘Hey, this is giving you another layer of defense at the API Gateway layer.’” Landgraf explained. “The idea is to simply start to provide ‘layers of defensive’ [using APIs] in front of all the crown jewels of your enterprise.”

He noted Titan comes in response to customers who, as Landgraf put it, “ were starting to get pretty mature about stamping out what I would say are security schemas for the individual APIs. They’re noticing, ‘Hey every API that is exposed by this group needs to handle authentication and authorization in this way. Also, it needs to expose customer data in this way,’” Landgraf shared.

“We’re also hearing that customers also want to standardize on schemas and data types, but they also want the higher-order level of protection to provide more global protection across all of their individual APIs. They had technology, but it wasn’t as flexible as they would have liked to do things like policy domains. That’s where we believe Titan makes a difference.”

Titan also goes beyond this dimension of API security and adds protection for the actual data running inside the API-enabled pipeline.

API-centric Tokenization for securing sensitive data. “Many of our customers are aware they are tokenizing credit card data to reduce PCI Compliant scope. And they may again have a tokenization service that's delivering that capability. But there’s always room for more protection and visibility. So, Titan is also allowing customers to tokenize any data in motion flowing through the API,” he said.

We wondered if customers were really asking for an API-centric approach to encryption and related security.

Landgraf’s answer demonstrates just how API-centric some enterprises are becoming.

“So, what we’ve started to see is customers thinking a bit more broadly about how they can take advantage of tokenization and encryption technologies for things like PII data, email addresses, Social Security numbers, personal health information and so on.”

That ‘broad’ thinking is including APIs, and he shared an example. “So, one customer we spoke with recently said to us, ‘I want to move a bunch of production data into a development environment, but I want that data to maintain its format -- so that none of the downstream systems are impacted,” he noted. Another example is in DevOps, where a customer could secure connections between the pre-production and production environments through an API layer, which would make it easy to tokenize and de-tokenize data.

Mulesoft’s Titan update also targets this. “So at the API level, there's basically an algorithm that says ‘Hey if you send me something that looks like a credit card number. just send that anonymized, tokenized piece of data. All the downstream systems from the API will only see that tokenized version of that data,” he said. To aid in performance and management, there is no key to manage, he added. “We do this via ‘vault’ tokenization, so at the API Gateway we set up a tokenization table.”

Beyond its focus on API Security, Anypoint also adds deep support for real-time API monitoring and visibility. In specific,

Monitoring is becoming so much more crucial to business operations, not simply backend IT, Landgraf said. He pointed to a 2018 report from Global CIO which found that a single business transaction now crosses an average of 35 different systems – [Source: Top Challenges facing CIOs in a Cloud Native World]. https://www.dynatrace.com/cloud-complexity-report/

“As customers are building out complex networks, I think our customers are starting to feel this complexity. So the ability to have visibility, end-to-end as well, provides some confidence. So, if you see one issue has happened seven eight times over the past week or so, then you know you need to make adjustments," he said.

Doing this at the API layer provides an easy way to extract more data -- and more precise data -- across a network or individual transaction. “We’re bringing together end-to-end transaction tracing across API integration, application performance monitoring in real time, along with some pretty advanced log management into one unique [view].”

Anypoint Monitoring builds on the platform’s ability for watching integration and API management all in one a single environment. “With this latest announcement, we’ve enhanced those capabilities -- making more metrics available for consumption in diagnostics,” Landgraf said.

Further, though, with Anypoint Monitoring, Landgraf added that Mulesoft has “basically restructured and refactored our data lake fundamentally to allow customers to have visibility into both real-time traffic that is flowing through their application network (such as from Salesforce or a mobile app) all the way through to the backend database.” This even extends to a third-party integration target / source, such as an SAP implementation, thanks to Anypoint’s main focus on APIs and integration, he added.

The result: “When an issue occurs, not only can customers slice-and-dice the real-time information that's flowing from any endpoint through a network. They can also drill down to see what's happened over the last two minutes, the last 10 minutes, or whatever timeframe you wish,” he said.

Thanks to this collection of technologies, Titan can also help companies manage their compliance requirements, such as General Data Protection Regulation (GDPR), FedRAMP In Process, EU Data Residency and EU-US Privacy Shield, he added.

Titan also looks to the future, thanks to a new runtime fabric, Mule 4. It simplifies complex integration tasks and accelerates the speed of delivery. With up to 50% fewer concepts to learn and implement, Mule 4 empowers a broader set of users, from integration specialists to business owners, with access to payload data to quickly build application network nodes. Further, Mule 4 offers support for container services and a road to multi-cloud adoptions.

"For newer apps, customers tend to be looking for a CloudHub-like experience," Landgraf said. So, Mule 4 is designed to extend cloud options for the runtime beyond the fully-managed hosted Anypoint platform running on AWS. "We have customers that want all of the benefits of zero downtime upgrades but they can’t use publicly-hosted versions So this runtime fabric delivers a version that lets customers provision it in a data center of their choosing -- AWS, Azure or bare meta," he added.

“Anypoint Runtime Fabricis based on kubernetes and docker that we fully manage. Customer doesn't need expertise. We will be handle that,” he said.

It can read any data file type and transforms it into any consumable format such as CSV or XML, making “single-click conversion” faster than ever. It also manages streaming automatically, handling content caching, larger than memory payloads, and closing of streams for the user. It also can stream and access data concurrently in order to process and transform information at scale. Mule 4 now analyzes runtime conditions and makes adjustments automatically.

Titan Reactions from Analysts, Early Adopters

Early reaction for one analyst points to the growing role of APIs to future integration architectures.

“A single business transaction now crosses over dozens of different systems, and legacy security and monitoring systems can’t keep up. By leveraging a unified hybrid integration platform offering self-service and API-led connectivity capabilities, such as MuleSoft’s Anypoint Platform, IT teams can achieve a more holistic view of the organization and across different IT environments, while enabling developers to securely self-serve and innovate for the business.” noted Saurabh Sharma, principal analyst at Ovum.

Looking more broadly at MuleSoft’s Anypoint – and API-centric infrastructure, Sharma added: “The modern IT landscape is growing increasingly complex, and the pace of change for today’s IT team is unrelenting. The adoption of mobile, cloud services, microservices and the internet of things (IoT) have rapidly expanded the boundaries of the enterprise, while IT’s ability to gain visibility to detect security attacks, mitigate business risk, and operate at the same scale is constrained.”

One early adopter, JetBlue, noted that MuleSoft is helping it deliver innovation at scale. MuleSoft allows the airline to securely build and share APIs with external partners, as well as to experiment with new technology, according to Vitaly Faida, manager of IT product release engineering.

In a nod to MuleSoft’s new parent Salesforce, Landgraf put the full announcement into context for those enterprises looking at hybrid architectures, especially Salesforce users.

“Imagine someone who has an application on Force.com and that app interacts with three or four different databases and apps -- and something goes wrong. . . They need deep visibility into the issue to resolve it as quickly as possible. [Titan] will be able to help that customer identify and resolve that issue,” he said.